- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 27 Nov 2008 19:48:53 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

over on the WHATWG list, the topic of how to implement a site that
offers both authenticated and anonymous access is being discussed (see
around
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).

An interesting proposal is to continue returning content with status
200, but to include the WWW-Authenticate header nevertheless. RFC2616
currently is silent about this combination:

"14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at least
one challenge that indicates the authentication scheme(s) and parameters
applicable to the Request-URI.

    WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [43]. User
agents are advised to take special care in parsing the WWW-Authenticate
field value as it might contain more than one challenge, or if more than
one WWW-Authenticate header field is provided, the contents of a
challenge itself can contain a comma-separated list of authentication
parameters." --
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>

Has anybody tried this before?
BR, Julian
Received on Thursday, 27 November 2008 18:52:43 UTC
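
The parsing caveat in the quoted section 14.47 text, as an added example that is not part of the original message: a client that inspects WWW-Authenticate on any status, including 200, has to separate challenges from the comma-separated auth-params inside them and across several header fields. The sketch assumes the RFC 2617 grammar (challenge = auth-scheme 1*SP 1#auth-param); the names parse_challenges and SAMPLE and the sample header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One comma-separated list element; quoted-strings are kept whole, so a
# comma inside realm="a, b" does not split the element.
ELEMENT = re.compile(r'(?:[^",]|"(?:[^"\\]|\\.)*")+')
PARAM = re.compile(rf"({TOKEN})\s*=\s*(.*)", re.S)    # auth-param
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)  # auth-scheme [first param]


def _value(raw):
    """Strip the quotes and backslash escapes from a quoted-string value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_challenges(field_values):
    """Return [(scheme, {param: value}), ...] for all fields of one response."""
    challenges = []
    for field in field_values:
        for element in (e.strip() for e in ELEMENT.findall(field)):
            if not element:
                continue
            param = PARAM.fullmatch(element)
            if param:  # bare name=value: belongs to the challenge in progress
                if not challenges:
                    raise ValueError(f"auth-param before any scheme: {element!r}")
                challenges[-1][1][param.group(1).lower()] = _value(param.group(2))
                continue
            scheme = SCHEME.fullmatch(element)
            if not scheme:
                raise ValueError(f"unparseable element: {element!r}")
            params = {}
            challenges.append((scheme.group(1), params))
            if scheme.group(2):  # "Scheme name=value": first param of new challenge
                first = PARAM.fullmatch(scheme.group(2).strip())
                if not first:
                    raise ValueError(f"expected auth-param: {scheme.group(2)!r}")
                params[first.group(1).lower()] = _value(first.group(2))
    return challenges


# Constructed sample: two header fields as they might accompany a 200 response.
SAMPLE = ['Digest realm="a, b", nonce="x\\"y"', 'Basic realm="simple", NewScheme']
if __name__ == "__main__":
    for scheme, params in parse_challenges(SAMPLE):
        print(scheme, params)
```

Splitting the field value on every comma would break the Digest realm in two and turn nonce into a scheme name; the parser keeps quoted-strings whole and attaches bare name=value elements to the challenge in progress.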